A Boolean value that specifies the behavior for suppressing failures of writing to the audit log.

Applications should be notified of failures to write to the audit log. If your application is not designed to handle audit failures, you should use this attribute to suppress failures in writing to the audit log.

If this attribute is true, exceptions other than OutOfMemoryException, StackOverflowException, ThreadAbortException, and ArgumentException that result from attempts to write audit events are handled by the system and are not propagated to the application. If this attribute is false, all exceptions that result from attempts to write audit events are passed up to the application.

The default is true.

serviceAuthorizationAuditLevel

Specifies the types of authorization events that are recorded in the audit log. Valid values include the following:

None: No auditing of service authorization events is performed.

Success: Only successful service authorization events are audited.

Failure: Only failure service authorization events are audited.

SuccessAndFailure: Both success and failure service authorization events are audited.

Child Elements

Parent Elements

This configuration element is used to audit Windows Communication Foundation (WCF) authentication events. When auditing is enabled, either successful or failed authentication attempts (or both) can be audited. The events are written to one of three event logs: application, security, or the default log for the operating system version. The event logs can all be viewed using the Windows Event Viewer.

By default, on Windows XP the audit events can be seen in the Application Log, while on Windows Server 2003 and Windows Vista, the audit events can be seen in the Security Log. The location of audit events can be specified by setting the auditLogLocation attribute to "Application" or "Security". For more information, see How to: Audit Windows Communication Foundation Security Events. If the events are written to the Security Log, Local Security Policy -> Enable Object Access should be set for "Success" and "Failure".

When looking at the event log, the source of the audit events is "ServiceModel Audit 3.0.0.0". Message authentication audit records have a category of "MessageAuthentication", while service authorization audit records have a category of "ServiceAuthorization".

Message authentication audit events cover whether the message was tampered with, whether the message has expired and whether the client can authenticate to the service. They provide information about whether the authentication succeeded or failed along with the identity of the client and the endpoint the message was sent to along with the action associated with the message.

Service authorization audit events cover the authorization decision made by a service authorization manager. They provide information about whether authorization succeeded or failed along with the identity of the client, the endpoint the message was sent to, the action associated with the message, the identifier of the authorization context that was generated from the incoming message and the type of the authorization manager that made the access decision.
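The following configuration is an added example, not part of the original documentation. It places a behavior that records nothing and hides audit-write failures beside one that audits both outcomes to the Security log and surfaces write failures to the application. The service, contract, address and behavior names are hypothetical; suppressAuditFailure and messageAuthenticationAuditLevel are the element's attributes for the failure-suppression flag and the message authentication audit level described above.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. Service, contract, address and behavior names are hypothetical. -->
<configuration>
  <system.serviceModel>
    <services>
      <!-- Hypothetical service bound to the strict audit behavior defined below. -->
      <service name="Example.OrderService" behaviorConfiguration="StrictAudit">
        <endpoint address="http://localhost:8000/orders"
                  binding="wsHttpBinding"
                  contract="Example.IOrderService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <!-- Weak: no authentication or authorization events are recorded,
             and a failed audit write is handled by the system, so the
             application never learns that auditing stopped working. -->
        <behavior name="NoAudit">
          <serviceSecurityAudit
              auditLogLocation="Application"
              suppressAuditFailure="true"
              messageAuthenticationAuditLevel="None"
              serviceAuthorizationAuditLevel="None" />
        </behavior>
        <!-- Corrected: both outcomes are audited for both event categories,
             records go to the Security log, and every exception raised while
             writing an audit event is passed up to the application, which
             must be written to handle it. -->
        <behavior name="StrictAudit">
          <serviceSecurityAudit
              auditLogLocation="Security"
              suppressAuditFailure="false"
              messageAuthenticationAuditLevel="SuccessAndFailure"
              serviceAuthorizationAuditLevel="SuccessAndFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With the StrictAudit behavior, the resulting records appear under the source "ServiceModel Audit 3.0.0.0" with the categories "MessageAuthentication" and "ServiceAuthorization".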